ADAM/AD LDS Policy Store Prerequisites
Be sure to meet the following prerequisites before configuring ADAM or AD LDS as a policy store:
- Create a policy store partition.
- (ADAM) Patch the ADAM server.
Apply Microsoft patch Q840991 to the ADAM server. This patch lets you create users in the configuration partition. Only users with administrative rights in this partition can import the policy store schema. You can download the patch at www.microsoft.com or by contacting Microsoft Product Support.
- Allow users to be created in the application partition.
Only an administrative user in the configuration partition can import the policy store schema. This user must have administrative rights over the configuration partition and all application partitions, including the policy store partition.
Note: The following procedure assumes that you are familiar with configuration, application, and schema partitions.
To allow users to be created in the application partition
- Open the ADSI Edit console.
- Create a user in the configuration partition, reset the user’s password, and give this user administrative rights over the configuration partition and all of the application partitions, including the policy store partition, by navigating to the following in the configuration partition:
cn=directory service,cn=windows nt,cn=services,cn=configuration,cn={guid}
- Locate the msDS-Other-Settings attribute.
- Add the following new value to the msDS-Other-Settings attribute:
ADAMAllowADAMSecurityPrincipalsInConfigPartition=1
- In the configuration and policy store application partitions:
  - Navigate to CN=Administrators, CN=Roles.
  - Open the properties of CN=Administrators.
  - Edit the member attribute.
  - Do one of the following:
    - (ADAM 2000 and 2003) Click Add ADAM Account and paste the full DN of the user you created in the configuration partition.
    - (AD LDS) Click Add DN and paste the full DN of the user you created in the configuration partition.
- Go to the properties of the user you created and verify the value of the msDS-UserAccountDisabled attribute. Be sure that the value is set to false.
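The same three directory edits (the msDS-Other-Settings value, the Administrators role membership in both partitions, and the msDS-UserAccountDisabled check) can be scripted with the ADSI type accelerator in PowerShell instead of ADSI Edit. The script below is an added example and is not part of the CA guide; the host and port, the instance GUID, the policy store partition DN and the administrative user DN are assumptions, and it assumes the user has already been created in the configuration partition and had its password reset. Run it as an account that already has administrative rights on the ADAM/AD LDS instance.

```powershell
# Added example, not from the CA guide. All DNs, the host:port and the GUID are assumed values.
$Server    = "adlds.example.local:50000"                                    # assumed ADAM/AD LDS host:port
$ConfigDN  = "CN=Configuration,CN={00000000-0000-0000-0000-000000000000}"  # placeholder GUID; use your instance's
$PolicyDN  = "DC=policystore,DC=example,DC=local"                            # assumed policy store application partition
$AdminUser = "CN=SMPolicyAdmin,$ConfigDN"                                   # assumed user created in the configuration partition

# 1. Allow ADAM/AD LDS security principals in the configuration partition.
#    Replace any existing ADAMAllowADAMSecurityPrincipalsInConfigPartition=<n> entry so the setting is unambiguous.
$dsObj   = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$ConfigDN"
$setting = "ADAMAllowADAMSecurityPrincipalsInConfigPartition=1"
$stale   = @($dsObj.Properties["msDS-Other-Settings"] |
             Where-Object { $_ -like "ADAMAllowADAMSecurityPrincipalsInConfigPartition=*" -and $_ -ne $setting })
foreach ($old in $stale) { $dsObj.Properties["msDS-Other-Settings"].Remove($old) }
if ($dsObj.Properties["msDS-Other-Settings"] -notcontains $setting) {
    $dsObj.Properties["msDS-Other-Settings"].Add($setting) | Out-Null
}
$dsObj.CommitChanges()

# 2. Add the user to CN=Administrators,CN=Roles in the configuration partition and in the policy store partition.
foreach ($partition in @($ConfigDN, $PolicyDN)) {
    $role = [ADSI]"LDAP://$Server/CN=Administrators,CN=Roles,$partition"
    if ($role.Properties["member"] -notcontains $AdminUser) {
        $role.Properties["member"].Add($AdminUser) | Out-Null
        $role.CommitChanges()
    }
}

# 3. Verify the account is enabled: msDS-UserAccountDisabled must be false.
$user = [ADSI]"LDAP://$Server/$AdminUser"
if ($user.Properties["msDS-UserAccountDisabled"].Value -eq $true) {
    $user.Properties["msDS-UserAccountDisabled"].Value = $false
    $user.CommitChanges()
}
$user.RefreshCache()
"msDS-UserAccountDisabled for $AdminUser is: $($user.Properties['msDS-UserAccountDisabled'].Value)"
```

The membership and setting checks make the script safe to re-run: an entry that is already present is not added twice, and an older ADAMAllowADAMSecurityPrincipalsInConfigPartition value is replaced rather than left beside the new one. If the bind is over a plain LDAP port, any later password operations on this user need an SSL connection or the instance's password policy relaxed; this script does not touch the password.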
Once you have met the prerequisites, do one of the following:
- Automatically configure the policy store data by running the Configuration Wizard using a GUI or console window.
- Manually configure the policy store data in the LDAP directory.
More Information:
Run the Configuration Wizard Using a GUI or Console Window
Manually Configure Policy Store Data in an LDAP Directory